



Ethereum Smart Contract Vulnerabilities and Security Detection

I. Security Status of Smart Contracts

When a smart contract vulnerability is exposed, the coin's market price plummets as well. Attackers can easily exploit such holes to issue unlimited tokens and transfer virtual currency for free. According to the Blockchain Industry Security Analysis Report from the Baimaohui Security Institute, problems related to smart contract security have led to a loss of $1.24 billion USD, accounting for 43.3% of the total loss.

Frequent smart contract security breaches have cast serious doubt on Ethereum, greatly affecting the development and popularity of blockchain technology in its early stage.

This article analyzes current smart contract vulnerabilities in detail, briefly reviews current detection methods for smart contract vulnerabilities, and offers recommendations for secure coding.

II. Key Analysis of Smart Contract Vulnerabilities

1) Integer Overflow

The Ethereum Virtual Machine (EVM) uses a stack to simulate memory space, but the management and protection mechanism for the stack is not perfect. In contract computations, the stack should be rigorously monitored to avoid overflow. In particular, transfer functions should be meticulously examined. The currently known SMT, BEC, EDU and BAI smart contracts all have integer overflow problems in their transfer logic, resulting in unlimited issuance or unrestricted transfers of tokens.

Case 1: SMT Vulnerability

Contract Address:

0x55F93985431Fc9304077687a35A1BA103dC1e081

Analysis:

The vulnerability is in transferProxy, a transfer function that anyone can call. Its parameters specify the addresses of both parties, the commission, and the transfer amount.

By manipulating the transfer amount and service fee, perpetrators can acquire a huge sum of SMT virtual currency for nothing.

Real Case Study:

The perpetrator initiated an integer overflow by accessing the transferProxy function and entering 8ff…f, 700…0 to successfully steal 6.5 SMT1060 currency.

Case 2: Meitu BEC Vulnerability

Contract Address:

0xC5d105E63711398aF9bbff092d4B6769C82F793D

Here is the test result from RatingToken:

Analysis:

After the vulnerability was publicized, BEC coins that had soared 4,000% in value at their height instantly dropped to zero for a catastrophic loss.

Real Case Study:

The perpetrator enters 800…0 and 000…02 for multiplication overflow, generating nearly 5.7 BEC1060 coins.

From the two cases above, we see that overflow vulnerabilities in smart contracts can be easily exploited by perpetrators with catastrophic impact. Therefore, we recommend examining the overflow problem thoroughly when coding smart contracts and using the SafeMath library for checked arithmetic.
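The two overflow patterns above and the SafeMath-style fix, as an added example that is not taken from the SMT or BEC source code: a Python model of uint256 arithmetic showing how a balance check computed with wrapping addition (fee plus amount) or wrapping multiplication (amount times recipient count) passes for an account holding nothing, and how checked arithmetic rejects the same call. The function names and all input values are constructed for the illustration.

```python
# Added illustration: a Python model of EVM uint256 arithmetic, not contract source.
UINT256_MAX = 2**256 - 1

def wrap_add(a, b):
    """Unchecked EVM-style addition: the carry out of bit 255 is discarded."""
    return (a + b) & UINT256_MAX

def wrap_mul(a, b):
    """Unchecked EVM-style multiplication, reduced modulo 2**256."""
    return (a * b) & UINT256_MAX

def safe_add(a, b):
    """SafeMath-style addition: abort instead of wrapping."""
    if a + b > UINT256_MAX:
        raise OverflowError("uint256 addition overflow")
    return a + b

def safe_mul(a, b):
    """SafeMath-style multiplication: abort instead of wrapping."""
    if a * b > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return a * b

def passes_balance_check(balance, total_fn, x, y):
    """Model `require(balance >= total)`; an aborted computation reverts the call."""
    try:
        return balance >= total_fn(x, y)
    except OverflowError:
        return False

def run_cases():
    balance = 0                       # constructed: the sender holds no tokens
    value, fee = UINT256_MAX - 4, 5   # constructed: value + fee == 2**256
    amount, recipients = 2**254, 4    # constructed: amount * recipients == 2**256
    return {
        "proxy_unchecked": passes_balance_check(balance, wrap_add, value, fee),
        "proxy_safemath": passes_balance_check(balance, safe_add, value, fee),
        "batch_unchecked": passes_balance_check(balance, wrap_mul, amount, recipients),
        "batch_safemath": passes_balance_check(balance, safe_mul, amount, recipients),
        "honest_transfer": passes_balance_check(100, safe_add, 90, 10),
    }

if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name:16} balance check passes: {ok}")
```

In both unchecked cases the computed total wraps to zero, so the comparison against the balance no longer constrains the amounts credited afterwards.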

2) Transaction Sequence Dependency

This vulnerability was brought up by Loi Luu, et al. from the National University of Singapore. They pointed out that during the execution of smart contracts, invoking functions in a different sequence may generate different output, resulting in a logic vulnerability. Based on the cases they provided, we analyzed the loophole:

The function implemented by this contract allows a user to receive pay from the contract drafter after completing Puzzle().
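The order dependence described above, as an added example that is not the contract from the original analysis: a simplified Python model in which the same two pending transactions produce different payouts depending on the order in which they are executed. It assumes the contract drafter can change the reward while a solution is pending; the class, the method names, the expected_reward guard and all values are hypothetical.

```python
# Added illustration: a simplified Python model of a Puzzle-style reward contract.
class Reverted(Exception):
    """Raised when a call aborts; the contract state is left unchanged."""

class Puzzle:
    def __init__(self, owner, reward):
        self.owner, self.reward, self.solved = owner, reward, False
        self.payouts = {}

    def update_reward(self, sender, new_reward):
        if sender != self.owner or self.solved:
            raise Reverted("only the owner may change an unsolved puzzle's reward")
        self.reward = new_reward

    def submit_solution(self, sender, expected_reward=None):
        # expected_reward is a hypothetical guard: the solver states the reward the
        # transaction was built against, and the call aborts if the state differs.
        if self.solved:
            raise Reverted("already solved")
        if expected_reward is not None and self.reward != expected_reward:
            raise Reverted("reward changed since the transaction was created")
        self.solved = True
        self.payouts[sender] = self.reward
        self.reward = 0

def execute(order, guarded):
    """Apply the same two pending transactions in the given order.

    Returns (solver payout or None, whether the puzzle ended up solved)."""
    contract = Puzzle(owner="owner", reward=100)  # constructed values
    txs = {
        "submit": lambda: contract.submit_solution("solver", 100 if guarded else None),
        "update": lambda: contract.update_reward("owner", 0),
    }
    for name in order:
        try:
            txs[name]()
        except Reverted:
            pass  # a reverted transaction changes nothing
    return contract.payouts.get("solver"), contract.solved
```

Without the guard the solver's payout is 100 or 0 depending only on ordering; with it, the submission either pays the expected reward or reverts and leaves the puzzle unsolved.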

Given the analysis above, we can see that smart contract code is open, released in advance, and immutable. However, its security holes are extremely difficult to detect, and users are susceptible to fraud and great losses.

III. Testing Smart Contract for Vulnerabilities

RatingToken, a large data-rating agency, has officially launched an online vulnerability-detection function for smart contracts, the very first such offering for coin users in China. RatingToken inspects the contract addresses and code of all listed projects, then performs machine learning-based model screening, GAN, and standardized verifications to identify high-risk items with contract vulnerabilities and fraudulent addresses.

Currently the website is capable of detecting the following vulnerabilities: overflow, external access, unusual behavior, glitches, and logic circuit. The website provides a one-click smart contract scan, enabling users to easily access the vulnerability report of a smart contract and lower their investment risk.
